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- The MAILING DATE of this communication appears on the cover sheet with the correspondence address - 
Period for Reply 



A SHORTENED STATUTORY PERIOD FOR REPLY IS SET TO EXPIRE 3 MONTH(S) OR THIRTY (30) DAYS, 
WHICHEVER IS LONGER, FROM THE MAILING DATE OF THIS COMMUNICATION. 

- Extensions of time may be available under the provisions of 37 CFR 1 . 1 36(a). In no event, however, may a reply be timely filed 
after SIX (6) MONTHS from the mailing date of this communication. 

- If NO period for reply is specified above, the maximum statutory period will apply and will expire SIX (6) MONTHS from the mailing date of this communication. 

- Failure to reply within the set or extended period for reply will, by statute, cause the application to become ABANDONED (35 U.S.C. § 133). 
Any reply received by the Office later than three months after t he mailing date of this communication, even if timely filed, may reduce any 
earned patent term adjustment. See 37 CFR 1 .704(b). 

Status 

I) D Responsive to communication(s) filed on 20 February 2007 . 
2a)H This action is FINAL. 2b)D This action is non-final. 

3) D Since this application is in condition for.allowance except for formal matters, prosecution as to the merits is 

closed in accordance with the practice under Ex parte Quayle, 1935 CD. 1 1 , 453 O.G. 213. 

Disposition of Claims 

4) S Claim(s) 1-23 is/are pending in the application. 

4a) Of the above claim(s) is/are withdrawn from consideration. 

5) D Claim(s) is/are allowed. 

6) [3 Claim(s) 1-23 is/are rejected. 

7) D Claim(s) is/are objected to. 

8) D Claim(s) are subject to restriction and/or election requirement. 

Application Papers 

9) D The specification is objected to by the Examiner. 

10)13 The drawing(s) filed on 09 October 2003 is/are: a)S accepted or b)D objected to by the Examiner. 
Applicant may not request that any objection to the drawing(s) be held in abeyance. See 37 CFR 1.85(a). 
Replacement drawing sheet(s) including the correction is required if the drawing(s) is objected to. See 37 CFR 1.121(d). 

I I) D The oath or declaration is objected to by the Examiner. Note the attached Office Action or form PTO-152. 

Priority under 35 U.S.C. § 119 

12)Q Acknowledgment is made of a claim for foreign priority under 35 U.S.C. § 1 19(a)-(d) or (f). 
a)D All b)D Some * c)D None of: 

1. D Certified copies of the priority documents have been received. 

2. D Certified copies of the priority documents have been received in Application .No. . 

3. Q Copies of the certified copies of the priority documents have been received in this National Stage 

application from the International Bureau (PCT Rule 17.2(a)). 
* See the attached detailed Office action for a list of the certified copies not received. 
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2) □ Notice of Draftsperson's Patent Drawing Review (PTO-948) PaDer No(s)/Mai» Date. . 
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DETAILED ACTION 

1 . The IDS filed on 4/2/2007 has been considered by the examiner. 

2. Claims 24-33 have been cancelled by the applicant in an amendment filed on 
2/20/2007. Claims 1-23 are pending in the application. 

Below, Examiner has pointed out particular references contained in the prior art(s) of 
record in the body of this action for the convenience of the applicant. Although the 
specified citations are representative of the teachings in the art and are applied to the 
specific limitations within the individual claims, other passages and figures may apply as 
well. Applicant should consider the entire prior art as applicable as to the limitations of 
the claims. It is respectfully requested from the applicant, in preparing the response, to 
consider fully each reference in its entirety as potentially teaching all or part of the 
claimed invention, as well as the context of the passage as taught by the prior arts or 
disclosed by the examiner. 

Specification 

4. Objections to the specification have been withdrawn due to applicant amendment 
filed on 2/20/2007. 
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Claim Objections 

5. The following claims are objected to for lack of antecedent basis, 
a.) Claim 7 recites the limitation "the trash collector" in line 5. 



Claim Rejections - 35 USC §112 



6. Claim rejections under USC 112 have been withdrawn in view of the amendment 
filed on 2/20/2007. 

Double Patenting 



12. The nonstatutory double patenting rejection has been withdrawn in view of an 
approved terminal disclaimer filed on 2/20/2007. 



Claim Rejections - 35 USC § 102 



20. The following is a quotation of the appropriate paragraphs of 35 U S C. 102 that 
form the basis for the rejections under this section made in this Office action: - 

A person shall be entitled to a patent unless - 

(e) the invention was described in (1) an application for patent, published under section 122(b), by 
another filed in the United States before the invention by the applicant for patent or (2) a patent 
granted on an application for patent by another filed in the United States before the invention by the 
applicant for patent, except that an international application filed under the treaty defined in section 
351(a) shall have the effects for purposes of this subsection of an application filed in the United States 
only if the international application designated the United States and was published under Article 21(2) 
of such treaty in the English language. 
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21. Claims 1, 2, 8, 12, 13, 23, and 24 are rejected under 35 U.S.C. 102(e) as being 
anticipated by Suuronen et al. (US 2003/0145228), herein after "Suuronen". 

22. Considering Claim 1, Suuronen discloses a network virus/worm monitor (abstract 
lines 3-6, Fig. 1, [0019] lines 2-7), comprising: a network virus/worm sensor (Fig. 
1-item 22, [0021] lines 1-14); and a traffic controller in communication with the 
network (Fig. 1-item 14 and item 16, [0020] the combination of the Firewall and 
Packet Classification Database act as a traffic controller to determine which 
packets get transferred to the network and which packets get forwarded to the 
Virus Scanning Engine); virus/monitor sensor and the network operable in a 
number of modes (Fig 1, [0021] lines 1-14) wherein in a first mode the bandwidth 
of the network is substantially unaffected by the traffic controller during a 
virus/worm sensing operation by the network virus/worm sensor ([0007] lines 5- 
10, [0020] lines 2-9 being able to process packets in real time would mean that 
the bandwidth is unaffected by this process, in a first mode no virus is detected 
and all packets are returned directly to the network), wherein when the network 
virus/worm sensor detects a computer virus or a computer worm in network 
traffic (Fig. 1-item 22 and item 24, page 4, left column, lines 33-34), the 
virus/worm sensor causes the traffic controller to switch to a second mode such 
that only those data packets infected by the detected computer virus or computer 
worm are not returned to the network (Fig. 1, [0020], page 4, left column, lines 4- 
23, packets that are discarded are not returned to the network). 
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23. Considering Claim 13, Suuronen discloses a method of managing network traffic 
by a network virus/worm monitor (abstract lines 3-6, Fig. 1, [0019] lines 2-7), 
having a network virus/worm sensor (Fig. 1-item 22, [0021] lines 1-14), 
comprising: during a virus/worm sensing operation, the bandwidth of the network 
is substantially unaffected by the network virus/worm sensor in a first mode 
([0007] lines 5-10, [0020] lines 2-9 being able to process packets in real time 
would mean that the bandwidth is unaffected by this process, in a first mode no 
virus is detected and all packets are returned directly to the network), wherein 
when the network virus/worm sensor detects a computer virus or a computer 
worm in network traffic (Fig. 1-item 22 and item 24, page 4, left column, lines 33- 
34); and switching when a computer virus or computer worm is detected to a 
second mode such that only those data packets infected by the detected 
computer virus or computer worm are not returned to the network (Fig. 1 , [0020], 
page 4, left column, lines 4-23, packets that are discarded are not returned to the 
network). 

25. Considering Claim 2, Suuronen discloses those data packets deemed to be 
infected by the identified computer virus or computer worm are forwarded to a 
virus/worm analyzer unit coupled to the network computer virus/worm sensor 
([0019] lines 27-32). 
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26. Considering Claim 8, Suuronen discloses in the second mode, only those 
original data packets included in the network traffic suspected of being infected 
by the detected computer virus or computer worm are forwarded by the traffic 
controller to the virus/worm analyzer unit ([0019] lines 27-32). 

27. Considering Claims 12 and 23, Suuronen discloses the first mode is an inline 
mode ([0020] lines 2-9); and wherein the second mode is a standby mode 
([0019] lines 27-32). 

Claim Rejections - 35 USC § 103 

28. The following is a quotation of 35 U.S.C. 1 03(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 102 of this title, if the differences between the subject matter sought to be patented and 
the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 

29. Claims 3-5, 9, 10, 14-16, and 19-21, are rejected under 35 U.S.C. 103(a) as 
being unpatentable over Suuronen in view of Ontiveros et al. (US 2002/0107953), 

herein after "Ontiveros". 
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30. Considering Claims 3 and 14, Suuronen does not disclose in the first mode, 
substantially all data packets included in the network traffic are copied by the 
traffic controller. 

Ontiveros discloses in the first mode, substantially all data packets included in 
the network traffic are copied by the traffic controller ([0035] lines 1-3). 

Therefore, it would have been obvious to one of ordinary skill in the art at 
the time the invention was made to modify the teachings of Suuronen by copying 
all data packets included in the network traffic as taught by Ontiveros in order to 
maintain throughput of data traffic thereby increasing performance (Ontiveros 
[0035] lines 1-3). 

31 . Considering Claims 4 and 15, the claims are rejected for the same reasons as 
claim 3 and 14 above, Suuronen and Ontiveros disclose substantially all of the 
copied data packets are forwarded to the virus/worm analyzer unit (Suuronen- 
[001 9] lines 27-32, Ontiveros- [0035] lines 1 -3). 

32. Considering Claims 5 and 16, the claims are rejected for the same reasons as 
claim 3 and 14 above, Suuronen and Ontiveros disclose the copied data packet 
is forwarded to a packet protocol determinator that determines if the packet 
protocol of the copied data packet is of a first set of protocols (Suuronen- Fig 1- 
item 16, [0019] lines 7-14, Ontiveros [0035] lines 1-3). 
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33. Considering Claim 9, Suuronen and Ontiveros disclose the original data packet 
is forwarded to a packet protocol determinator that determines if the packet 
protocol of a copied data packet is infected by the detected computer virus or 
computer worm (Suuronen- [Fig 1-16, [0019] lines 7-14, Ontiveros [00365] lines 
1-3). 

34. Considering Claim 10, Suuronen discloses a network interface arranged to 
return to the network traffic only those original data packets determined to be of a 
second set of protocols ([0019] lines 14-18), wherein the filescan unit receives 
and analyzes those original data packets determined to be of a second set of 
protocols ([0021] lines 1-14]). 

35. Considering Claim 19, Suuronen discloses in the second mode, only those 
original data packets included in the network traffic suspected of being infected 
by the detected computer virus or computer worm are forwarded by the traffic 
controller to the virus/worm analyzer unit ([001 9] lines 27-32). 

36. Considering Claim 20, the claims are rejected for the same reasons as claim 3 
and 14 above, Suuronen and Ontiveros disclose the original data packet is 
forwarded to a packet protocol determinator that determines if the packet 
protocol of the copied data packet is of a second set of protocols (Suuronen- [Fig 
1-item 16, [0019] lines 7-14, Ontiveros- [0035] lines 1-3). 
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37. Considering Claim 21, Suuronen discloses a network interface arranged to 
return to the network traffic only those original data packets determined to be of a 
protocol not likely to be infected by the detected computer virus or computer 
worm ([0019] lines 14-18), wherein the filescan unit receives and analyzes those 
original data packets determined to be of a protocol likely to be infected by the 
detected computer virus or computer worm ([0021] lines 1-14]). 

38. Claims 6 and 17 are rejected under 35 U.S.C. 103(a) as being 
unpatentable over Suuronen in view of Ontiveros in further view of Balissat et al. (US 
2003/0191963), herein after "Balissat". 

39. Considering Claims 6 and 17, Suuronen and Ontiveros disclose a filescan unit 
arranged to receive and analyze those copied data packets determined to be of a 
protocol likely to be infected by the detected computer virus or computer worm 
(Suuronen- [0021] lines 1-14], Ontiveros- [0035] lines 1-3). 

Suuronen and Ontiveros do not disclose a trash collector arranged to receive 
those copied data packets determined to be of a first set of one or more 
protocols. 

Balissat discloses a trash collector arranged to receive those copied data 
packets determined to be of a first set of one of more protocols ([0096] lines 10- 
14). 



Application/Control Number: 10/683,579 Page 10 

Art Unit: 2135 

Therefore, it would have been obvious to one of ordinary skill in the art at 
the time the invention was made to modify the teachings of Suuronen and 
Ontiveros by discarding the copied packets to a trash collector as taught by 
Balissat for the benefit of discarding the packets and not returning them to the 
network increasing storage space and efficiency. 

40. Claims 7 and 18 are rejected under 35 U.S.C. 103(a) as being unpatentable 
over Suuronen, Ontiveros and Balissat in further view of Wells (US 6,338,141). 

41 . Considering Claims 7 and 18, Suuronen, Ontiveros and Balissat discloses a 
virus/worm analyzer unit arranged to determine if those copied data packets 
received at the filescan unit are infected by the detected computer virus or 
computer worm (Suuronen- [0021] lines 1-14], Ontiveros- [0035] lines 1-3); 
wherein those packets determined not to be infected are forwarded to the trash 
collector (Balissat- [0096] lines 10-14); 

Suuronen, Ontiveros and Balissat do not disclose a virus analysis unit arranged 
to analyze the infected copied data packets and a virus report module arranged 
to generate a virus report based upon the analysis. 

Wells does disclose a virus analysis unit arranged to analyze the infected copied 
data packets (column 2 lines 47-53) and a virus report module arranged to 
generate a virus report based upon the analysis (column 2 lines 47-53 the output 
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from the analysis-implementation that is used to update the virus detection 
database is a report). 

Therefore, it would have been obvious to one of ordinary skill in the art at 
the time the invention was made to modify the teachings of Suuronen, Ontiveros, 
and Balissat by a virus analysis unit that generates a virus report as taught by 
Wells for the benefit of providing virus updates to the virus detection system 
(Wells- column 2 lines 50 -53). 

46. Claim 11 and 22 are rejected under 35 U.S.C. 103(a) as being unpatentable 
over Suuronen in view of Ontiveros in further view of Wells. 

47. Considering Claims 11 and 22, Suuronen discloses the virus/worm analyzer unit 
determines if those original data packets received at the filescan unit are infected 
by the detected computer virus or computer worm ([0021] lines 7-14); wherein 
those packets determined not to be infected are forwarded to the network 
interface for return to the network traffic ([0021] lines 21-22). 

Suuronen and Ontiveros do not disclose the virus analysis unit analyzes the 
infected original data packets and the virus report module generates a virus 
report based upon the analysis. 

Wells does disclose the virus analysis unit analyzes the infected original data 
packets (column 2 lines 47-53) and the virus report module generates a virus 
report based upon the analysis (column 2 lines 47-53 the output from the 
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analysis-implementation that is used to update the virus detection database is a 
report). 

Therefore, it would have been obvious to one of ordinary skill in the art at 
the time the invention was made to modify the teachings of Suuronen and 
Ontiveros by a virus analysis unit that generates a virus report as taught by Wells 
for the benefit of providing virus updates to the virus detection system (Wells- 
column 2 lines 50-53). 

Response to Arguments 



1 . Applicants arguments filed 2/20/2007 have been fully considered but they are not 
persuasive. 

2. Regarding Claims 1, 2, 8, 12, 13, 23, and 24, applicants arguments have been 
fully considered but they are not persuasive. With respect to applicants argument that 
Suuronen fails to teach the traffic controller switching to a second mode such that only 
certain data packets infected by the virus are not returned to the network. Examiner 
disagrees and directs the applicant to Suuronen- [0020], Fig. 1. Suuronen discloses 
"The processing of the data packets by the firewall 14 to divide them into first and 
second types provides an early classification of the packets. ..to eliminate transmission 
of data packets to the virus scanning engine 22 which can reliably be determined to not 
contain viruses... Early classification improves the performance of the gateway 12 and 
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further permits data packets from the virus containing packet stream (or from the 
originating host) to be readily discarded by use of simple and fast firewall rules that are 
added when a virus is encountered. If viruses are found, the virus sending processor 
may be black listed so that no traffic from the virus sending processor passes the 
firewall in the future." This indicates that a first and second type of packet determines 
whether the instant packet would be passed directly to the destination or be forwarded 
to virus scan engine for further analysis; thus, the firewall is operating in a plurality of 
modes. A first mode would consist of finding a packet that can be readily determined 
not to contain viruses and allowing it to pass unimpeded into the network. The second 
mode would consist of sensing a protocol that could potentially contain a virus and 
sending that packet to the virus-scanning engine for further analysis. 



Conclusion 



1 . THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time 
policy as set forth in 37 CFR 1.136(a). 

A shortened statutory period for reply to this final action is set to expire THREE 
MONTHS from the mailing date of this action. In the event a first reply is filed within 
TWO MONTHS of the mailing date of this final action and the advisory action is not 
mailed until after the end of the THREE-MONTH shortened statutory period, then the 
shortened statutory period will expire on the date the advisory action is mailed, and any 
extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of 
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the advisory action. In no event, however, will the statutory period for reply expire later 
than SIX MONTHS from the mailing date of this final action. 



2. Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Randal D. Moran whose telephone number is 571-270- 
1255. The examiner can normally be reached on M-F: 7:00 - 4:00. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Kim Vu can be reached on 571-272-3859. The fax phone number for the 
organization where this application or proceeding is assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a 
USPTO Customer Service Representative or access to the automated information 
system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 



Randal D. Moran 
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